Key steps we have taken to ensure mye-coach complies with GDPR
Step 1 - Awareness
As part of our ISO/IEC 27001:2013 Certification, we must prove our team are fully trained and aware of the data protection rules. So, rest assured that our team are fully aware of GDPR and the broad principles involved, and this continues to remain “top of our minds” in the provision of our products and services.
Step 2 – Accountability
The bottom line here is that mye-coach users need to know:
- what personal data we hold;
- where it came from; and
- who we have shared it with.
We have outlined the key aspects below:
How we collect data
Apart from a User’s name and email address (which an employer may add to register a User, with their consent), the rest of the data held on the system is data entered by the User themselves, i.e. they are in control of their own data.
To ensure Users can clearly see what data was added, when and by whom, we have provided clearer ways to see the origin of each record, i.e. a date/time stamp confirming when the record was created and who created it.
Protecting their own Data
There are built-in functions to allow Users to protect their own data, including, but not limited to:
- The ability to hide themselves on the system from all other Users
- The ability to hide their contact details on the system
- The ability for admins to delete the User, and wipe all forms of personal data
Step 3 - Communicating Privacy Information
Whilst mye-coach controls the data held on the system, that data is never removed from the system, sold to or shared with any third parties, and we only access the data relevant to ongoing User support.
Step 4 - Individual Rights
According to the regulations, Users should have certain rights when their data is involved, and at mye-coach, we could not agree more. This includes the right:
To be informed (Article 13) – we inform users who we are, why we need their personal data, how it will be used by mye-coach, how the User can modify it, how the User can access it, how the User can retract consent to hold and process their data and how the User can raise a complaint, should they wish to do so.
To access (Article 15) – we provide users with access to their personal data and explain in clear, non-technical terms how we process their data.
To rectification (Article 16) – we give users the ability to amend/change inaccurate or incomplete information that the system holds about them.
To erase (Article 17) – for system data the “right to be erased” has always been available, as mye-coach allows users to delete data; we have also introduced functionality that allows data to be anonymised rather than deleted, in ways that align with GDPR.
To restrict processing (Article 23) – in certain circumstances we will prevent any further processing/use of the user’s data going forward, or until they re-grant us the right to process their data.
To data portability (Article 20) – we provide functionality for users to obtain, on request, their personal data in a structured and commonly used format, i.e. a CSV file. If a user decides to download and export this data from our system, they are warned that once they download it they become both the controller and processor of that data and must align to GDPR principles.
Step 5 – Access Requests
Users can view, edit and manage their private data in Privacy Settings. They can also make a data access request from here which will go straight to our Data Protection Officer.
There is also an internal process in place to:
- ensure our staff recognise a data request and act upon it immediately;
- record and log the access request; and
- securely provide the information to the user free of charge within 30 days.
Step 6 - Lawful basis for processing personal data
Step 7 - Consent
Step 8 - Children
Mye-coach does not allow users under the age of 18 to access the system.
Step 9 – Data Breaches
We have the right procedures in place to detect, report and investigate a personal data breach.
In our capacity as a data processor, we have measures in place to detect system-based data breaches and will notify Users in accordance with our contractual obligations if a breach occurs.
From the controller’s perspective, breaches are potentially more likely to occur because of human intervention. To mitigate this and aid detection there are some simple measures that can be put in place, such as ensuring that all Users have unique logins.
These measures should ensure that any malicious actions will leave an audit trail that can be used to help with detection, reporting and investigation.
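The following is an added illustration, not mye-coach’s own code, of the two mechanisms described above and in Step 4: every change to a personal-data record is attributed to a unique login and stamped with the time (the audit trail), and an erasure request can either anonymise the record (keeping the record and its history) or delete it outright. The data fields, user identifiers and the CSV export format are assumptions constructed for the example.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class Profile:
    """Personal data held for one user (fields are constructed for this example)."""
    user_id: str
    name: str
    email: str
    notes: str
    erased: bool = False


@dataclass
class AuditEntry:
    """One append-only audit record: when, who (unique login), what, on which record."""
    timestamp: str
    actor_id: str
    action: str
    record_id: str


class ProfileStore:
    """In-memory store whose every mutation is attributed to a unique login."""

    def __init__(self) -> None:
        self.profiles: Dict[str, Profile] = {}
        self.audit: List[AuditEntry] = []

    @staticmethod
    def _require_actor(actor_id: str) -> None:
        # Shared or empty logins would break the audit trail, so refuse them.
        if not actor_id:
            raise ValueError("every change must be attributed to a unique login")

    def _log(self, actor_id: str, action: str, record_id: str) -> None:
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit.append(AuditEntry(stamp, actor_id, action, record_id))

    def add(self, actor_id: str, profile: Profile) -> None:
        self._require_actor(actor_id)
        self.profiles[profile.user_id] = profile
        self._log(actor_id, "create", profile.user_id)

    def update(self, actor_id: str, user_id: str, **changes: str) -> Profile:
        """Rectification: the user (or an admin) amends fields; who did it is recorded."""
        self._require_actor(actor_id)
        profile = self.profiles[user_id]
        for field_name, value in changes.items():
            setattr(profile, field_name, value)
        self._log(actor_id, "update", user_id)
        return profile

    def erase(self, actor_id: str, user_id: str, anonymise: bool = True) -> Optional[Profile]:
        """Erasure: anonymise keeps the record and its audit history but strips
        identifying fields; anonymise=False removes the profile entirely."""
        self._require_actor(actor_id)
        profile = self.profiles[user_id]
        if anonymise:
            profile.name = "[anonymised]"
            profile.email = "[anonymised]"
            profile.notes = ""
            profile.erased = True
            self._log(actor_id, "anonymise", user_id)
            return profile
        del self.profiles[user_id]
        self._log(actor_id, "delete", user_id)
        return None

    def export_csv(self, actor_id: str, user_id: str) -> str:
        """Portability: hand the user their data in a commonly used format (CSV)."""
        self._require_actor(actor_id)
        profile = self.profiles[user_id]
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["user_id", "name", "email", "notes"])
        writer.writerow([profile.user_id, profile.name, profile.email, profile.notes])
        self._log(actor_id, "export", user_id)
        return buf.getvalue()

    def history(self, record_id: str) -> List[AuditEntry]:
        """Everything that happened to one record: the trail investigators would read."""
        return [e for e in self.audit if e.record_id == record_id]


if __name__ == "__main__":
    store = ProfileStore()
    store.add("admin-001", Profile("u-42", "Alice Example", "alice@example.com", "coachee notes"))
    store.update("u-42", "u-42", notes="updated by the user")
    store.erase("admin-001", "u-42", anonymise=True)
    for entry in store.history("u-42"):
        print(entry.timestamp, entry.actor_id, entry.action, entry.record_id)
```

Because each entry names the acting login, an investigator can tell an admin’s change from the user’s own, which is exactly what shared logins would make impossible.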
Steps 10 and 11 - Data Protection - Impact Assessments and Officers
In our humble opinion, the job title here is less important than the actions that we undertake. All our staff are Data Protection Officers but in line with GDPR we have a nominated Data Protection Officer who:
- has the requisite knowledge (now and going forwards) about GDPR
- will champion GDPR within our organisation
- is responsible for complying with GDPR
- continues to ensure that data protection is “designed in” to changes to our business planning/processes
- can evolve, mature and improve how we comply with GDPR and keep our clients’ data safe
Regular audits and impact assessments are undertaken to ensure the suitability, relevance and application of our policies and procedures.
Step 12 - International
mye-coach operates in more than one EU member state. Our lead authority is the supervisory authority in the state where our main establishment is, which is the UK.
Beyond and in addition to GDPR…
In addition to aligning to and complying with GDPR, we continue to adhere to the ISO/IEC 27001:2013 Standard and have multiple layers of security to ensure your data remains secure, private and available.